On Wed, Oct 8, 2014 at 1:59 AM, dE <de.tec...@gmail.com> wrote:

> On 10/07/14 18:12, Igor Cicimov wrote:
>
> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote:
>
>> Hi.
>>
>> I'm in a situation where I got 3 certificates
>>
>> server.pem -- the end user certificate which is sent by the server to the client.
>> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>
>> combined.pem is created by --
>>
>> cat server.pem intermediate.pem > combined.pem
>>
>> Issuer.pem is installed in the web browser.
>>
>> The chain is working, I can verify this via the SSL command --
>>
>> cat intermediate.pem issuer.pem > cert_bundle.pem
>> openssl verify -CAfile cert_bundle.pem server.pem
>> server.pem: OK
>>
>> However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verify server.pem's signature.
>>
>> I'm using Apache 2.4.10 with the following --
>>
>> SSLCertificateFile /tmp/combined.pem
>> SSLCertificateKeyFile /tmp/server.key
>
> Try this:
>
> $ cat issuer.pem intermediate.pem > CA_chain.pem
>
> SSLCertificateFile server.pem
> SSLCertificateKeyFile server.key
> SSLCertificateChainFile CA_chain.pem
>
> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4) with the same issue.

Hmm, in that case you have something mixed up, or simply this cannot work for self-signed certificates, since this is exactly what I'm using on Apache 2.2.24/26 on all our company web sites: a certificate signed by CA authority and a chain certificate file where the authorities' CA and Intermediate certs have been concatenated. Can you show us the output of:

openssl x509 -noout -in cert.pem -text

for all your certificates?
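
An added example, not part of the thread or either poster's setup: a script that checks the fields one would read out of the `openssl x509 -noout -text` output requested above, namely that each certificate's issuer matches the next certificate's subject, that the signature verifies, and that the two CA certificates carry `CA:TRUE`. The function names are illustrative, the demo chain is constructed test data, and `-partial_chain` assumes OpenSSL 1.0.2 or later.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All function names are illustrative.

# Constructed sample data: throwaway issuer -> intermediate -> server chain in dir $1.
make_demo_chain() {
    local d=$1 n
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in issuer intermediate server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -days 2 -in "$d/issuer.csr" -signkey "$d/issuer.key" \
        -extfile "$d/ca.ext" -out "$d/issuer.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/intermediate.csr" -CA "$d/issuer.pem" \
        -CAkey "$d/issuer.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/intermediate.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# link_ok CHILD PARENT: the child's issuer DN hashes to the parent's subject DN,
# and the parent's public key verifies the child's signature.
link_ok() {
    [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
      "$(openssl x509 -noout -subject_hash -in "$2")" ] &&
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# is_ca CERT: basicConstraints carries CA:TRUE (expected on intermediate and issuer).
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

# check_chain SERVER INTERMEDIATE ISSUER: returns 0 only if every link and CA flag holds.
check_chain() {
    local rc=0
    link_ok "$1" "$2" || { echo "BROKEN: $1 is not signed by $2"; rc=1; }
    link_ok "$2" "$3" || { echo "BROKEN: $2 is not signed by $3"; rc=1; }
    is_ca "$2" || { echo "BROKEN: $2 lacks CA:TRUE"; rc=1; }
    is_ca "$3" || { echo "BROKEN: $3 lacks CA:TRUE"; rc=1; }
    return $rc
}

# served_count FILE: number of PEM certificates in FILE
# (combined.pem as built in the thread should hold 2: server, then intermediate).
served_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Usage: ./check_chain.sh server.pem intermediate.pem issuer.pem
if [ "$#" -eq 3 ]; then check_chain "$@"; fi
```

A clean result here only confirms the files on disk; it does not show which certificates the running server actually sends during the handshake.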